
Passkeys are becoming the standard in Microsoft. What does that actually mean for your tenant?

  • Writer: Bjørnar Aassveen
  • 6 days ago
  • 3 min read

Microsoft has long been clear about where they are headed: away from passwords and toward phishing resistant authentication. In March 2026, they are taking a major step forward.

Passkeys are automatically being enabled in all Microsoft Entra ID tenants, whether you are ready for it or not.


In this article, I look at:

  • What passkeys actually are

  • What Microsoft is really enabling

  • The difference between a new tenant and an established tenant with history

  • The different approved authentication methods


What is a passkey?

A passkey is a phishing resistant authentication method. Instead of a password, which is a shared secret, passkeys use a public and private key pair:


  • The private key is securely stored on the user’s device, such as a PC, mobile phone, or security key

  • The public key is stored in Microsoft Entra ID

  • Sign in happens when the user unlocks the private key using biometrics or a PIN


Two types of passkeys you need to know about

As Microsoft rolls out passkey profiles, an important distinction is introduced:

Device bound passkeys

  • The private key is stored on a single physical device

  • New registration is required per device

  • Highest level of control

  • Equivalent to classic FIDO2 usage


Synced passkeys

  • The private key is synchronized via the platform, such as iCloud Keychain or Google Password Manager

  • Register once and use across multiple devices

  • Much easier for the end user

  • Less control if device requirements are not enforced



What is Microsoft actually enabling?


From March 2026:

  • Passkey profiles become generally available

  • Tenants that have not actively chosen to configure this will be enabled automatically

  • Existing FIDO2 configurations are moved into a Default passkey profile

  • The passkeyType is set based on the current attestation status


In practice, this means:

  • If you do not enforce attestation today → synced passkeys will be allowed by default

  • Microsoft managed registration campaigns will start prompting users to register passkeys, unless you have explicitly changed this configuration yourself
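To see where your own tenant stands before the default profile is created, it helps to read the current FIDO2 authentication method configuration and spell out what the defaults above would do with it. The following is an added example, not code from the article or from Microsoft; it evaluates the JSON that Microsoft Graph returns for the fido2 authentication method configuration (the endpoint path and the isAttestationEnforced and keyRestrictions properties are real, the sample objects are constructed, and the profile labels "synced" and "deviceBound" are assumed names used only for reporting).

```python
"""Assess what the passkey-profile defaults would mean for a tenant, based on its
current FIDO2 authentication method configuration.

Input shape: the JSON object returned by Microsoft Graph at
  GET https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/fido2
Both sample objects below are constructed for this example, not taken from a real tenant.
"""

# Constructed sample: a typical established tenant that never enforced attestation
SAMPLE_FIDO2_CONFIG = {
    "id": "Fido2",
    "state": "enabled",
    "isSelfServiceRegistrationEnabled": True,
    "isAttestationEnforced": False,
    "keyRestrictions": {"isEnforced": False, "enforcementType": "block", "aaGuids": []},
}

# Constructed sample: attestation enforced and registration limited to an AAGUID allow list
HARDENED_FIDO2_CONFIG = {
    "id": "Fido2",
    "state": "enabled",
    "isSelfServiceRegistrationEnabled": True,
    "isAttestationEnforced": True,
    "keyRestrictions": {
        "isEnforced": True,
        "enforcementType": "allow",
        # placeholder AAGUID, not a real authenticator model
        "aaGuids": ["00000000-0000-0000-0000-000000000000"],
    },
}


def assess_passkey_defaults(config: dict) -> dict:
    """Return the passkey type the default profile would be given (assumed label) and
    a list of findings a defender would want to act on before the automatic migration."""
    attestation_enforced = bool(config.get("isAttestationEnforced", False))
    restrictions = config.get("keyRestrictions") or {}
    allow_listed = (
        bool(restrictions.get("isEnforced"))
        and restrictions.get("enforcementType") == "allow"
        and bool(restrictions.get("aaGuids"))
    )

    # The article's rule: no attestation enforcement today -> synced passkeys allowed by default
    expected_type = "deviceBound" if attestation_enforced else "synced"

    findings = []
    if not attestation_enforced:
        findings.append("Attestation is not enforced: the default profile will allow synced passkeys.")
    if not allow_listed:
        findings.append("No AAGUID allow list: any authenticator model can be registered.")
    if config.get("state") == "enabled" and config.get("isSelfServiceRegistrationEnabled", True):
        findings.append(
            "Self-service registration is on: every targeted user, including an already "
            "compromised account, can add a passkey once registration campaigns start."
        )
    return {"expected_passkey_type": expected_type, "findings": findings}


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_FIDO2_CONFIG), ("hardened", HARDENED_FIDO2_CONFIG)):
        result = assess_passkey_defaults(cfg)
        print(f"{name}: expected type = {result['expected_passkey_type']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Run it against the object you get back from Graph (for example saved with `curl` or the Graph PowerShell SDK) instead of the constructed sample; an empty findings list means the automatic migration will land on a profile you already chose deliberately.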


New tenant vs established tenant



Newly created tenant

A new tenant with no history often has:

  • Few or no legacy MFA methods

  • Limited policy sprawl

  • Simpler Conditional Access


In this scenario, passkeys can be:

  • Introduced early

  • Managed through groups

  • Built correctly from day one

This is the “dream scenario” Microsoft often documents.



Established tenant with many users

Here, the picture is often very different:

  • SMS based MFA is still in use

  • Old exceptions in Conditional Access

  • “MFA is enabled” often only means Authenticator or SMS


The problem:

If an account is already compromised and the user is allowed to register passkeys, an attacker can register their own passkey.
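The defensive counterpart to that risk is to watch passkey registrations in the Entra audit log and correlate them with the sign-ins that preceded them. The block below is an added example, not code from the article; the activity name "User registered security info" and the riskLevelDuringSignIn property exist in the Entra audit and sign-in logs, while the log entries themselves and the passkey wording in resultReason are constructed for the example.

```python
"""Flag passkey registrations that follow a risky sign-in or come from a different
address than the user's recent sign-ins. Sample log entries are constructed and
modelled on the Entra audit log and sign-in log schemas."""
from datetime import datetime, timedelta

# Constructed audit log entries (shape follows the Entra audit log; detail text is invented)
AUDIT_LOG = [
    {
        "activityDateTime": "2026-03-02T08:15:00Z",
        "activityDisplayName": "User registered security info",
        "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.10"}},
        "resultReason": "User registered Passkey (device-bound)",
    },
    {
        "activityDateTime": "2026-03-02T09:40:00Z",
        "activityDisplayName": "User registered security info",
        "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example", "ipAddress": "198.51.100.77"}},
        "resultReason": "User registered Passkey (synced)",
    },
]

# Constructed sign-in log entries for the same users
SIGNIN_LOG = [
    {"createdDateTime": "2026-03-02T08:00:00Z", "userPrincipalName": "alice@contoso.example",
     "ipAddress": "203.0.113.10", "riskLevelDuringSignIn": "none"},
    {"createdDateTime": "2026-03-02T09:35:00Z", "userPrincipalName": "bob@contoso.example",
     "ipAddress": "192.0.2.44", "riskLevelDuringSignIn": "high"},
]


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def flag_suspicious_passkey_registrations(audit: list, signins: list, window_hours: int = 24) -> list:
    """Return one record per passkey registration that deserves a second look:
    a medium/high risk sign-in in the preceding window, or a registration address
    that none of the user's sign-ins in that window used."""
    flagged = []
    for entry in audit:
        if entry.get("activityDisplayName") != "User registered security info":
            continue
        if "passkey" not in entry.get("resultReason", "").lower():
            continue
        user = entry["initiatedBy"]["user"]
        upn, reg_ip = user["userPrincipalName"], user.get("ipAddress")
        reg_time = _ts(entry["activityDateTime"])
        window_start = reg_time - timedelta(hours=window_hours)

        reasons, seen_ips = [], set()
        for s in signins:
            if s["userPrincipalName"] != upn:
                continue
            if not (window_start <= _ts(s["createdDateTime"]) <= reg_time):
                continue
            seen_ips.add(s.get("ipAddress"))
            if s.get("riskLevelDuringSignIn") in ("medium", "high"):
                reasons.append(f"{s['riskLevelDuringSignIn']} risk sign-in at {s['createdDateTime']}")
        if seen_ips and reg_ip not in seen_ips:
            reasons.append(f"registration from {reg_ip}, recent sign-ins from {sorted(seen_ips)}")

        if reasons:
            flagged.append({"user": upn, "registered_at": entry["activityDateTime"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in flag_suspicious_passkey_registrations(AUDIT_LOG, SIGNIN_LOG):
        print(hit["user"], hit["registered_at"])
        for reason in hit["reasons"]:
            print("  -", reason)
```

In the constructed data only Bob's registration is flagged: it follows a high-risk sign-in and comes from an address his recent sign-ins never used. The same join works over exports from the Graph auditLogs endpoints or from a Log Analytics workspace, and is a reasonable first alert to have in place before registration campaigns start prompting every user.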



Microsoft enabling passkeys by default is, in principle, very good news. But as with many things in Entra ID:

Default ≠ right for everyone.

Passkeys are here to stay. The question is not whether you should adopt them, but how.

If you take control now, this can become one of the biggest security improvements your tenant has seen in a long time.



A complete overview of approved authentication methods in Microsoft: Microsoft Entra Authentication Overview - Microsoft Entra ID | Microsoft Learn


Phishing resistant methods

  • FIDO2 security keys and passkeys

  • Windows Hello for Business

  • Certificate based authentication (CBA)


Non phishing resistant methods

  • SMS

  • Voice call

  • One time passwords (TOTP)

  • Push notifications in Authenticator


Want to dive deeper into technical details and configuration? I recommend the blog posts from Per Torben in AGDERINTHE.Cloud


